Environment Specification

A product may be registered in all members of a binary-compatible family
of products on the basis of a single test report.

Answer the questions for each binary-compatible family. Alternatively, provide
the answers in the Appendix at the end of this document.

Testing Environment: None.

Binary-compatible Family: None.

Portability Environment: None.

Indicator of Compliance: None.

Compliance Details: None.

Temporary Waivers

Enter the waiver number and expiry date for each temporary waiver granted by The Open Group.

Waiver Number

Expiry Date

1.1 Security Mechanisms

Question 1: What security mechanisms are supported?

Response

For each supported mechanism, enter the mechanism's name, object
identifier (oid) and a reference to the published specification of the
mechanism. In the description box, enter a short description of the
mechanism and answer the following questions:

State whether additional token exchanges may be performed
in the course of context establishment (that is, whether
gss_init_sec_context() or gss_accept_sec_context() may return
GSS_S_CONTINUE_NEEDED).

Describe all the qualities of protection that the
mechanism supports and give the numerical values that
identify them in C language binding function arguments.

State what the default quality of protection is.

Describe all the name formats that can be used in
conjunction with the mechanism, in particular giving
the oids associated with them and the character sets
and encodings that they use.

List and describe all the minor status codes associated
with the mechanism, giving the numerical values returned
by the functions in the C language binding.

Define all concrete data element formats. In particular,
the formats of all tokens that can be exchanged between
peer applications must be specified in detail.

Describe any constraints on channel binding formats,
including any constraints on addresses and address
types that may appear in them.

State whether expiration of credentials is supported and,
if so, give the default expiration time.

Name:

Object Id:

Reference:

For each of the following categories, state which features are supported.

Delegation

Mutual Authentication

Replay Detection

Out of Sequence Message Detection

Message Integrity

Confidentiality

Qualities of Protection

Name

Numerical Value

Description

What is the default quality of protection?

Name Formats

Format

Object Id

Character Set

Encoding

Minor Status Codes

Code

Numerical Value

Description

Define all concrete data element formats.

Describe any constraints on channel binding formats, including constraints
on addresses and address types.

Is expiration of credentials supported?
Yes
No

If so, what is the default expiration time?

Rationale

A conformant implementation must provide a reference to the published
specifications that give a complete description of the security mechanism
or mechanisms concerned. The referenced material must address the
following areas of rationale:

In order to establish a security context successfully with a target
peer, it is necessary to identify an appropriate underlying
mechanism type supported by both initiator and target peers.

The underlying mechanism type may allow additional token exchanges to be
performed in the course of context establishment.

Some mechanism types provide their users with fine granularity control
over the means used to provide per-message protection, allowing callers
to trade off security processing overhead dynamically against the
protection requirements of particular messages.

The GSS-API avoids the prescription of naming structures, recognising
that different mechanisms process and authenticate names presented in
different forms.

The GSS-API provides for major and minor status return values. Minor
values provide more detailed status information and may include status
codes that are specific to the particular mechanism type.

Object identifiers must be assigned to candidate GSS-API mechanisms and
the name types they support. Concrete data element formats must be
defined for candidate mechanisms.

Agreements among mechanism implementors define conventional
interpretations for the contents of channel binding arguments,
including address specifiers (with content dependent on the communication
protocol environment) for context initiators and acceptors.
Individual mechanisms may impose additional constraints on addresses and
address types that may appear in channel bindings.

A caller may request the number of seconds for which a context should
remain valid, supplying 0 to request a default validity period. An
implementation is not, however, required to support expiration of
credentials.

Reference

See the following sections of the X/Open CAE Specification,
Generic Security Service API (GSS-API) Base:

Question 6: If the answer to Question 5 is yes, and the name spaces
are in-built rather than user definable, what are their identification
details?

Response

For each supported name space, enter its name, object identifier (oid),
the character set it uses (e.g. BASIC LATIN), the character set encoding
(e.g. ASCII) and a brief description.

Name

Oid

Char Set

Encoding

Description

Rationale

The syntax of a printable name, as defined by the implementation, may
depend on the local system configuration or on individual user preference.
Where multiple name spaces are supported, the internal form of a name must
include fields that identify the name space from which the name is drawn.
The name space from which a printable name is drawn is specified by an
accompanying object identifier.

1.4 Security Contexts

Question 8: Does the implementation allow the
gss_process_context_token() function to be used for deleting a
security context?

Response

Yes
No

Rationale

There are two methods of deleting a security context, the second of which is
optional:

The peers within a security context coordinate between themselves and both
sides issue their own calls to gss_delete_sec_context().

One peer uses gss_delete_sec_context() to delete its side of the
security context and to obtain a token to pass to the other peer.
The other peer uses the token in conjunction with
gss_process_context_token() to delete its side of the security
context.

Question 9: If the answer to Question 8 is yes, in what ways does
the effect of using one method vary as compared with the other? For
example, is one method less secure than the other?

Response

Please enter the differences starting on the next blank line below.
If there is no difference in effect between the two methods of
deleting security context, then simply enter the following text:
The effect is the same, whichever of the two methods is used
to delete security context.